Firefox 151 Boosts Anti‑Fingerprinting, Adds Local‑Network Permission Prompts, and Patches Critical Sandbox Escape (CVE‑2026‑8953)
What Happened – Mozilla released Firefox 151.0, delivering three high‑impact privacy and security upgrades: stronger anti‑fingerprinting, mandatory permission prompts for local‑network access, and a new “end private session” button. The update also patches a critical sandbox‑escape vulnerability (CVE‑2026‑8953) in the Disability Access APIs component.
Why It Matters for TPRM –
- Reduces the data‑leak surface for employees using browsers on corporate devices.
- Limits inadvertent exposure of internal network services to malicious web pages.
- Demonstrates vendor responsiveness to zero‑day bugs, a key factor in third‑party risk assessments.
Who Is Affected – All organizations whose workforce uses Mozilla Firefox on Windows, macOS, or Linux; especially those in regulated sectors (finance, healthcare, government) that enforce strict browser hardening.
Recommended Actions –
- Verify that your organization’s endpoint management tools enforce the latest Firefox version.
- Update browser security baselines to include the new “end private session” control and local‑network permission prompts.
- Review vendor risk scores for Mozilla, noting the rapid patch of CVE‑2026‑8953 as a positive security posture indicator.
Technical Notes – The anti‑fingerprinting changes cut uniquely identifiable users by ~14% overall and ~49% on macOS by limiting exposed device attributes. Local‑network restrictions now trigger permission dialogs for any site attempting to reach LAN devices, mirroring Chrome/Edge behavior. CVE‑2026‑8953 is a use‑after‑free sandbox escape in the Disability Access APIs; no wild‑use reports exist, but the fix prevents potential arbitrary code execution. Source: Malwarebytes Labs